blob: fbb9098fe56d242fec008f1aa88122cc8e943051 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
From 878269dbe74229005dd7f27aca66c554e31dad8e Mon Sep 17 00:00:00 2001
From: Paul Emge <paulemge@forallsecure.com>
Date: Mon, 8 Jul 2019 16:37:05 -0700
Subject: [PATCH] CVE-2019-13104: ext4: check for underflow in ext4fs_read_file
in ext4fs_read_file, it is possible for a broken/malicious file
system to cause a memcpy of a negative number of bytes, which
overflows all memory. This patch fixes the issue by checking for
a negative length.
Signed-off-by: Paul Emge <paulemge@forallsecure.com>
---
fs/ext4/ext4fs.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/ext4fs.c b/fs/ext4/ext4fs.c
index 85dc122f3003..e2b740cac405 100644
--- a/fs/ext4/ext4fs.c
+++ b/fs/ext4/ext4fs.c
@@ -66,13 +66,15 @@ int ext4fs_read_file(struct ext2fs_node *node, loff_t pos,
ext_cache_init(&cache);
- if (blocksize <= 0)
- return -1;
-
/* Adjust len so it we can't read past the end of the file. */
if (len + pos > filesize)
len = (filesize - pos);
+ if (blocksize <= 0 || len <= 0) {
+ ext_cache_fini(&cache);
+ return -1;
+ }
+
blockcnt = lldiv(((len + pos) + blocksize - 1), blocksize);
for (i = lldiv(pos, blocksize); i < blockcnt; i++) {
--
2.17.1
|